From a7bef1eb2d4bcd45a840f073975a98dbbd0f25d6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Deruss=C3=A9?= Date: Mon, 27 Jul 2015 09:36:17 +0200 Subject: [PATCH] Change the default value of cookie_httponly to fix #15303 --- UPGRADE-2.8.md | 30 ++++++++++++++----- .../DependencyInjection/Configuration.php | 2 +- .../DependencyInjection/Fixtures/php/full.php | 2 +- .../DependencyInjection/Fixtures/xml/full.xml | 2 +- .../DependencyInjection/Fixtures/yml/full.yml | 2 +- .../FrameworkExtensionTest.php | 2 +- 6 files changed, 27 insertions(+), 13 deletions(-) diff --git a/UPGRADE-2.8.md b/UPGRADE-2.8.md index 966f1f4711..0701ad8f83 100644 --- a/UPGRADE-2.8.md +++ b/UPGRADE-2.8.md @@ -8,32 +8,32 @@ Form option together with the `Valid` constraint instead. Contrary to "cascade_validation", "constraints" must be set on the respective child forms, not the parent form. - + Before: - + ```php $form = $this->createForm('form', $article, array('cascade_validation' => true)) ->add('author', new AuthorType()) ->getForm(); ``` - + After: - + ```php use Symfony\Component\Validator\Constraints\Valid; - + $form = $this->createForm('form', $article) ->add('author', new AuthorType(), array( 'constraints' => new Valid(), )) ->getForm(); ``` - + Alternatively, you can set the `Valid` constraint in the model itself: - + ```php use Symfony\Component\Validator\Constraints as Assert; - + class Article { /** @@ -136,3 +136,17 @@ DependencyInjection ``` + +FrameworkBundle +--------------- + + * The default value of the parameter `session`.`cookie_httponly` is now `true`. + It prevents scripting languages, such as JavaScript to access the cookie, + which help to reduce identity theft through XSS attacks. If your + application needs to access the session cookie, override this parameter: + + ```yaml + framework: + session: + cookie_httponly: false + ``` 
diff --git a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php
index 977c0669c4..b2ff3d7c59 100644
--- a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php
+++ b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php
@@ -340,7 +340,7 @@ class Configuration implements ConfigurationInterface
 ->scalarNode('cookie_path')->end()
 ->scalarNode('cookie_domain')->end()
 ->booleanNode('cookie_secure')->end()
- ->booleanNode('cookie_httponly')->end()
+ ->booleanNode('cookie_httponly')->defaultTrue()->end()
 ->scalarNode('gc_divisor')->end()
 ->scalarNode('gc_probability')->defaultValue(1)->end()
 ->scalarNode('gc_maxlifetime')->end()
diff --git a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/php/full.php b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/php/full.php
index a035b56d70..677d8e8c10 100644
--- a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/php/full.php
+++ b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/php/full.php
@@ -32,7 +32,7 @@ $container->loadFromExtension('framework', array(
 'cookie_path' => '/',
 'cookie_domain' => 'example.com',
 'cookie_secure' => true,
- 'cookie_httponly' => true,
+ 'cookie_httponly' => false,
 'gc_maxlifetime' => 90000,
 'gc_divisor' => 108,
 'gc_probability' => 1,
diff --git a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/xml/full.xml b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/xml/full.xml
index bf4537b910..dfd651574e 100644
--- a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/xml/full.xml
+++ b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/xml/full.xml
@@ -14,7 +14,7 @@ - + text/csv
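Review bot: The new `->defaultTrue()` on `cookie_httponly` carries no `->info()` text, so anyone reading the schema (or the output of `config:dump-reference`) sees a default that differs from its sibling `cookie_secure` with no explanation of why. A one-liner would move the rationale from the UPGRADE note into the node itself: `->booleanNode('cookie_httponly')->defaultTrue()->info('Forbid client-side scripts from reading the session cookie; set to false only if JavaScript must read it.')->end()`. The enclosing session node definition starts and ends outside this hunk.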
diff --git a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/yml/full.yml b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/yml/full.yml
index 47513b1f66..ad0b903e86 100644
--- a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/yml/full.yml
+++ b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/yml/full.yml
@@ -24,7 +24,7 @@ framework:
 cookie_path: /
 cookie_domain: example.com
 cookie_secure: true
- cookie_httponly: true
+ cookie_httponly: false
 gc_probability: 1
 gc_divisor: 108
 gc_maxlifetime: 90000
diff --git a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/FrameworkExtensionTest.php b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/FrameworkExtensionTest.php
index edace5bf7a..4eeee524fb 100644
--- a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/FrameworkExtensionTest.php
+++ b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/FrameworkExtensionTest.php
@@ -149,7 +149,7 @@ abstract class FrameworkExtensionTest extends TestCase
 $this->assertEquals('/', $options['cookie_path']);
 $this->assertEquals('example.com', $options['cookie_domain']);
 $this->assertTrue($options['cookie_secure']);
- $this->assertTrue($options['cookie_httponly']);
+ $this->assertFalse($options['cookie_httponly']);
 $this->assertEquals(108, $options['gc_divisor']);
 $this->assertEquals(1, $options['gc_probability']);
 $this->assertEquals(90000, $options['gc_maxlifetime']);
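Review bot: Switching this assertion to `assertFalse` only proves that the explicit `false` now set in the full.php, full.xml and full.yml fixtures overrides the new default; nothing in the diff asserts that `cookie_httponly` resolves to `true` when a configuration omits the key, which is the behaviour the commit exists to introduce. A later change that drops `defaultTrue()` from Configuration.php would pass every test here. I would add, in a test that loads a configuration without the session cookie options, `$this->assertTrue($options['cookie_httponly']);` with `$options` obtained the same way as in this method. The test method around this hunk starts and ends outside it.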